WannaCry and government agencies

Cybersecurity professionals have sounded the alarm for years, and they are again being proven right. When government agencies secretly find security vulnerabilities and develop exploits, they put everyone at risk.

Over the past week, the WannaCry ransomware worm exploded across 74 countries, infecting businesses, hospitals, universities, and many others. The worm encrypts files and demands the equivalent of $300 to $600 in Bitcoin to restore them.

The infection leverages a vulnerability in Microsoft operating systems, ranging from Windows XP to Windows 10 and Server 2016. While that is not unusual, what is unusual is that the exploit appears to have been originally developed by the NSA.

Imagine, just for a moment, that a government agency were to discover a hidden weakness in a car or aircraft. And, rather than notifying the manufacturer for immediate action, the agency developed a way to take over the vehicle remotely, with the intent of only using it against criminals, terrorists, and other hostiles.

There are three problems with this scenario:

First, public safety is reliant on keeping the vulnerability and exploit a highly controlled secret. Government agencies have a poor track record on this critical matter.

Second, each time the exploit is used, somebody, somewhere, will wonder what happened. There will be investigations. The more the exploit is used, the more attention it will garner. It is naive for any agency to believe that their exploit will not be discovered, analyzed, and copied. If an intelligence agency uses an exploit to attack terrorists and hostile governments, they are essentially handing them the clues required to find and leverage the same vulnerability.

Third, the agency’s belief that they alone have the capability to discover the vulnerability is seriously misguided. It is foolish for one of 196 countries to believe that their discovery will not be uncovered by another government, criminal organization, or independent security researcher.

If next week criminals started crashing cars or aircraft using a government-developed exploit, there would be public outcry, inquiries, political resignations, and lawsuits. The government employees involved would likely be the subject of a criminal investigation. The same type of accountability apparently doesn’t apply when individuals and businesses suffer losses due to government negligence with cyberweapons.

Microsoft released security update MS17-010 on March 14, 2017, which addressed the issue in supported versions of Windows. Then, on April 14, the Shadow Brokers hacker group released a stolen NSA exploit called EternalBlue, which exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. Users of Windows 8.1, Windows 10, Server 2012, Server 2016, and other currently supported operating systems were protected if they applied the March 14 patch. However, unsupported Windows XP, Windows 8, and Windows 2013 systems were not. When WannaCry began using the vulnerability to spread itself on May 12, it spread through these outdated systems like wildfire. Microsoft has since taken the unusual step of issuing an emergency patch for Windows XP, Windows 8, and Windows Server 2003.

In an added twist, a UK-based malware analysis expert who calls himself MalwareTech was running a sample of the malware in his analysis environment, and noticed it queried an unregistered Internet domain. As researchers often do, he registered the domain and pointed it to a sinkhole server. As it turns out, the existence of the URL caused WannaCry to stop executing.

“The reason which was suggested is that the domain is a ‘kill switch’ in case something goes wrong, but I now believe it to be a badly thought out anti-analysis,” he wrote. “In certain sandbox environments, traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to, a side effect of this is if an unregistered domain is queried it will respond as if it were registered.” In effect, MalwareTech stopped the attack by spending about $15 on a domain.

Law enforcement agencies around the globe should vigorously pursue the criminals responsible for WannaCry. Windows users should update their systems immediately, turn on automatic updates, and where necessary upgrade to a supported version of the operating system. Businesses that have erroneously decided against automatically applying Microsoft patches to Windows PCs, or who continue to run unsupported Windows operating systems, need to seriously reevaluate their priorities.

Many governments are engaged in the cyber arms race. Some Americans are understandably outraged that an agency of their government decided that creating cyberweapons was more important than protecting millions, and then failed to safeguard highly-classified information.

Canada should lead the way by shining a light on this dark issue. While most citizens are unaware of decisions being made on their behalf, we need transparency, public engagement, and appropriate oversight to prevent future tears.

About this author

Eric Jacksch is a leading cybersecurity analyst with over 20 years of practical security experience. He has consulted to some of the world's largest banks, governments, automakers, insurance companies and postal organizations. Eric is a regular columnist for IT in Canada and was a regular columnist for Monitor Magazine and has contributed to several other publications.